Organizations: Learn what defines report severity

Updated over a week ago

Reports are marked with a severity rating to show how severe the vulnerability is in the report submission form. The severity rating can be seen on reports, Hacktivity, and in the Inbox. On HackerOne, severity is particularly useful for structuring bounty ranges and is used when offering bounty recommendations.

The severity level can be marked as:

  • None

  • Low

  • Medium

  • High

  • Critical

Hackers can either use manual severity selection and select one of these severity levels based on their judgment of the vulnerability or use a CVSS calculator to give more information about the vulnerability and calculate an exact CVSS score.

The Common Vulnerability Scoring System (CVSS) is an industry-standard calculator used to determine the severity of a vulnerability. The standard enables a common language around the severity of vulnerabilities. HackerOne offers a custom implementation of CVSS 3.0 as well as a standard implementation of CVSS 3.1.

If your program has a unique severity approach, describe it on your Security Page and let hackers manually select severity.

Reports can be linked to an asset. In these cases, the asset's environmental metrics and maximum severity are taken into consideration when assigning the score.

Assigning severities can be made compulsory by configuring this in the submission requirements.

You can read more details about CVSS here or check out our blog post.

Did this answer your question?